another URL:Mal

Hello everyone, new here.
And I’ve recently been having a URL:Mal problem, like so many others I’ve seen on this forum.
So here is the story:
One day I was reading a manga and my browser closed randomly. Suspicious, I checked my processes and eventually found a virus. It was a pain to get rid of, but I got it completely removed to the best of my knowledge. And recently I’ve run more scans with other AV scanners and found a few more, and removed those too. But I still keep getting this URL:Mal blocked randomly when on Google. It redirects me to this weird website that has an IP in front: 64.111.211.158, on firefox.exe.

Hope you can help!

Hello Kash, we first need to see your OTS log and then I can proceed with the removal, so:

Download OTS to your Desktop and double-click on it to run it.
Make sure you close all other programs and don’t use the PC while the scan runs.
Select All Users.
Under Additional Scans select the following:
Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check

Under the Custom Scan box paste this in:

%SYSTEMDRIVE%\*.exe
/md5start
volsnap.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT

Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
When the scan is complete Notepad will open with the report file loaded in it.
Please attach the log in your next post.
Edited to add custom scans.

Please ensure that all logs are saved in the ANSI format.

Thanks for the fast reply.
The .txt file was too large for upload on here,
so I’ve compressed it and uploaded it to MediaFire.

http://www.mediafire.com/?mn848y4vz6dbhu0

Can't see your OTS log. I had told you to save it in ANSI format; please do the same and post it in your next reply. Please don't post it again in the RAR format.

@kash the log is posted correctly…

I have notified Essexboy so wait for his advice…

He is usually in here 8:00pm - 11:59pm UK time.

How do I see it then, Pondus?

you super duper virus buster figure it out… :wink:

;D 8)

;D ;D ;D ;D ;D ;D OK, will do it myself…

Please tell me how to view it. I give up. I agree, I am a little proud of myself. I am sorry, man!!! Now tell me how to view it… please, pretty please…

Kash’s OTS log, here you go: http://www.mediafire.com/?6ily91non8nlzw6

C:\WINDOWS\system32\giveio.sys: this file is known to be a TDSS rootkit if it is not associated with any program, according to the info that I have gathered, and the OTS log doesn't show any program name in front of it. That means this should be the TDSS rootkit. Kill it now via:

Download TDSSKiller and save it to your Desktop.
Extract its contents to your desktop.
Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillermain.png

If an infected file is detected, the default action will be Cure; click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerMal-1.png

If a suspicious file is detected, the default action will be Skip; click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerSuspicious.png

It may ask you to reboot the computer to complete the process. Click on Reboot Now.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerCompleted.png

If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of “TDSSKiller.[Version][Date][Time]_log.txt”. Please copy and paste the contents of that file here.

Just open the .RAR archive and extract the OTS.txt file, simple.

“rar format”? Care to explain a n00b like me how to save a text file in “rar format”?

Seriously though, if you don’t even know how to open archives, why, why are you even trying to provide help?

…Or are you here to destroy all our computers via your “help”? I’m scared. :frowning:

Hi Altarir,

It would be better if com155 first went to get trained at the places that are meant for that,
got a proper qualification as a malware remover, and then came back here.

polonus

Haha I kind of laughed when I read about that .rar file situation.

It’s not that hard to extract a .rar file, it’s just like .zip. Haha

And to the thread starter : I got my URL Malfunction by reading manga too! :stuck_out_tongue:

My story : http://forum.avast.com/index.php?topic=81073.0

Haha I enjoy reading other people’s threads too.

Yes, exactly. I’m just curious as to why he’s actually posting advice without training first, after being told numerous times that he’s wrong.

So I’m hoping to get an answer to this question from him. I mean an adequate answer, not “i’m indian expert” or “i’ll improve in future”.

Although I probably won’t get it anyway. But at least I’ve tried.

On completion of this run, can you let me know if the problem persists?

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

 
[Unregister Dlls]
[Win32 Services - Safe List]
YN -> (srvE84) srvE84 [Auto | Stopped] -> 
[Registry - Safe List]
< FireFox Extensions [User Folders] > -> 
YY -> XUL Cache   -> C:\Documents and Settings\Kash\Application Data\Mozilla\Firefox\Profiles\yljv4vyr.default\extensions\{52e21792-7d01-482b-8dff-17fc4657b665}
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YY -> {0D1F7040-49E7-44F3-AFDD-E063A520F57f} [HKLM] -> C:\WINDOWS\system32\atipdlxx32.dll [Reg Error: Value error.]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{D4027C7F-154A-4066-A1AD-4243D8127440}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{FB5F1910-F110-11d2-BB9E-00C04F795683}" [HKLM] -> [Reg Error: Key error.]
< Domain Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
YN -> "C:\WINDOWS\system32\XAPOFX1_232.exe" -> [C:\WINDOWS\system32\XAPOFX1_232.exe:*:Enabled:Windows Update Service]
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
YN -> "C:\WINDOWS\system32\XAPOFX1_232.exe" -> [C:\WINDOWS\system32\XAPOFX1_232.exe:*:Enabled:Windows Update Service]
[Registry - Additional Scans - Safe List]
< SafeBoot-Minimal Settings > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
YN -> srvE84 -> 
[Files/Folders - Modified Within 30 Days]
NY ->  171055953 -> C:\WINDOWS\System32\171055953
NY ->  atipdlxx32.dll -> C:\WINDOWS\System32\atipdlxx32.dll
NY ->  yby.exe -> C:\Documents and Settings\Kash\Local Settings\Application Data\yby.exe
NY ->  wus.exe -> C:\Documents and Settings\All Users\Application Data\wus.exe
NY ->  vuj.exe -> C:\Documents and Settings\Kash\Local Settings\Application Data\vuj.exe
NY ->  ukl.exe -> C:\Documents and Settings\All Users\Application Data\ukl.exe
NY ->  ujv.exe -> C:\Documents and Settings\Kash\Local Settings\Application Data\ujv.exe
NY ->  kat.exe -> C:\Documents and Settings\Kash\Local Settings\Application Data\kat.exe
NY ->  hhm.exe -> C:\Documents and Settings\All Users\Application Data\hhm.exe
NY ->  fty.exe -> C:\Documents and Settings\All Users\Application Data\fty.exe
NY ->  dcs.exe -> C:\Documents and Settings\All Users\Application Data\dcs.exe
NY ->  j32fl865s40d45oky84k7k52hiujn68p040 -> C:\Documents and Settings\Kash\Local Settings\Application Data\j32fl865s40d45oky84k7k52hiujn68p040
NY ->  j32fl865s40d45oky84k7k52hiujn68p040 -> C:\Documents and Settings\All Users\Application Data\j32fl865s40d45oky84k7k52hiujn68p040
NY ->  tss.exe -> C:\Documents and Settings\Kash\Local Settings\Application Data\tss.exe
NY ->  tii.exe -> C:\Documents and Settings\Kash\Local Settings\Application Data\tii.exe
NY ->  ofm.exe -> C:\Documents and Settings\All Users\Application Data\ofm.exe
NY ->  nkd.exe -> C:\Documents and Settings\Kash\Local Settings\Application Data\nkd.exe
NY ->  kot.exe -> C:\Documents and Settings\All Users\Application Data\kot.exe
NY ->  hkv.exe -> C:\Documents and Settings\Kash\Local Settings\Application Data\hkv.exe
NY ->  gpb.exe -> C:\Documents and Settings\All Users\Application Data\gpb.exe
NY ->  ejm.exe -> C:\Documents and Settings\All Users\Application Data\ejm.exe
NY ->  duh.exe -> C:\Documents and Settings\All Users\Application Data\duh.exe
[Files - No Company Name]
NY ->  atipdlxx32.dll -> C:\WINDOWS\System32\atipdlxx32.dll
NY ->  yby.exe -> C:\Documents and Settings\Kash\Local Settings\Application Data\yby.exe
NY ->  wus.exe -> C:\Documents and Settings\All Users\Application Data\wus.exe
NY ->  vuj.exe -> C:\Documents and Settings\Kash\Local Settings\Application Data\vuj.exe
NY ->  ukl.exe -> C:\Documents and Settings\All Users\Application Data\ukl.exe
NY ->  ujv.exe -> C:\Documents and Settings\Kash\Local Settings\Application Data\ujv.exe
NY ->  kat.exe -> C:\Documents and Settings\Kash\Local Settings\Application Data\kat.exe
NY ->  hhm.exe -> C:\Documents and Settings\All Users\Application Data\hhm.exe
NY ->  fty.exe -> C:\Documents and Settings\All Users\Application Data\fty.exe
NY ->  dcs.exe -> C:\Documents and Settings\All Users\Application Data\dcs.exe
NY ->  j32fl865s40d45oky84k7k52hiujn68p040 -> C:\Documents and Settings\Kash\Local Settings\Application Data\j32fl865s40d45oky84k7k52hiujn68p040
NY ->  j32fl865s40d45oky84k7k52hiujn68p040 -> C:\Documents and Settings\All Users\Application Data\j32fl865s40d45oky84k7k52hiujn68p040
NY ->  tss.exe -> C:\Documents and Settings\Kash\Local Settings\Application Data\tss.exe
NY ->  tii.exe -> C:\Documents and Settings\Kash\Local Settings\Application Data\tii.exe
NY ->  ofm.exe -> C:\Documents and Settings\All Users\Application Data\ofm.exe
NY ->  nkd.exe -> C:\Documents and Settings\Kash\Local Settings\Application Data\nkd.exe
NY ->  kot.exe -> C:\Documents and Settings\All Users\Application Data\kot.exe
NY ->  hkv.exe -> C:\Documents and Settings\Kash\Local Settings\Application Data\hkv.exe
NY ->  gpb.exe -> C:\Documents and Settings\All Users\Application Data\gpb.exe
NY ->  ejm.exe -> C:\Documents and Settings\All Users\Application Data\ejm.exe
NY ->  duh.exe -> C:\Documents and Settings\All Users\Application Data\duh.exe
[Custom Scans]
YY ->  LoLRecommendedItems.exe -> C:\LoLRecommendedItems.exe
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
 

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.

This is no sign of malfunction, do not panic!
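An added example, not part of this thread or of the OTS tool: a small Python triage script that applies three patterns visible in the fix above (three-letter random .exe names under Application Data, files with no company name in System32, and firewall exceptions granted to an executable) to constructed OTS-style log lines, and lists the entries that deserve a closer look.

```python
import re

# Constructed sample in the style of an OTS log; paths are modelled on the
# fix posted above (plus one benign "updater.exe"), not taken from a real log.
SAMPLE_LOG = r"""
[Registry - Safe List]
< Domain Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\...\DomainProfile\AuthorizedApplications\List
YN -> "C:\WINDOWS\system32\XAPOFX1_232.exe" -> [C:\WINDOWS\system32\XAPOFX1_232.exe:*:Enabled:Windows Update Service]
[Files - No Company Name]
NY ->  atipdlxx32.dll -> C:\WINDOWS\System32\atipdlxx32.dll
NY ->  yby.exe -> C:\Documents and Settings\Kash\Local Settings\Application Data\yby.exe
NY ->  wus.exe -> C:\Documents and Settings\All Users\Application Data\wus.exe
NY ->  updater.exe -> C:\Documents and Settings\Kash\Application Data\Vendor\updater.exe
"""

# OTS entry lines look like: "<flags> ->  <name> -> <path or value>"
ENTRY = re.compile(r'^(?P<flags>[YN]{2}) ->\s+(?P<name>.+?) -> (?P<value>.*)$')
# Random three-letter lowercase names such as yby.exe / wus.exe
SHORT_EXE = re.compile(r'^[a-z]{3}\.exe$')


def find_suspicious(log_text):
    """Return a list of (value, reason) for entries that match a triage rule."""
    section, subsection = "", ""
    hits = []
    for line in log_text.splitlines():
        line = line.rstrip()
        if line.startswith("["):          # section header, e.g. [Files - No Company Name]
            section, subsection = line, ""
            continue
        if line.startswith("<"):          # sub-header, e.g. < Domain Profile Authorized Applications List >
            subsection = line
            continue
        m = ENTRY.match(line)
        if not m:
            continue
        name, value = m.group("name").strip().strip('"'), m.group("value")
        if "Application Data" in value and SHORT_EXE.match(name):
            hits.append((value, "three-letter random exe name in a user data folder"))
        elif section == "[Files - No Company Name]" and "\\system32\\" in value.lower():
            hits.append((value, "file with no company name in System32"))
        elif "Authorized Applications List" in subsection and ":Enabled:" in value:
            hits.append((value, "firewall exception granted to an executable; verify it"))
    return hits


if __name__ == "__main__":
    for value, reason in find_suspicious(SAMPLE_LOG):
        print(f"{reason}: {value}")
```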

Thanks, essexboy.
I’ve applied the fix and run it; I will post the log below.
Also, I will be searching on Google to see if I get redirected to the bad IP and will post on here if it does.

So I guess I’m going to stick away from the manga for now until this is solved.

The website I supposedly got the virus from is www.mangafox.com, if you're curious.

+1